diff --git a/schemas/CMakeLists.txt b/schemas/CMakeLists.txt index 0d369ca7468..95f258560f3 100644 --- a/schemas/CMakeLists.txt +++ b/schemas/CMakeLists.txt @@ -1,2 +1,2 @@ -install(DIRECTORY arf common cpe cve ocil oval sce sds xccdf +install(DIRECTORY arf common cpe ocil oval sce sds xccdf DESTINATION ${OSCAP_DEFAULT_SCHEMA_PATH}) diff --git a/schemas/cve/cce_0.1.xsd b/schemas/cve/cce_0.1.xsd deleted file mode 100644 index a8d29f04aea..00000000000 --- a/schemas/cve/cce_0.1.xsd +++ /dev/null @@ -1,61 +0,0 @@ - - - - - CCE is at an early phase of adoption. This schema is a work in progress and is far from - final. Additional work with using CCEs in a practical setting is required. - - - - - - - - The format for a CCE name is CCE-NNNNNNNNNNN, where NNNNNNNNNNN is a sequence number. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - TODO: What does this identify? - - - - - TODO: should this be an enumeration? - - - - diff --git a/schemas/cve/cpe-language_2.1.xsd b/schemas/cve/cpe-language_2.1.xsd deleted file mode 100644 index b0f8d290d6a..00000000000 --- a/schemas/cve/cpe-language_2.1.xsd +++ /dev/null 
@@ -1,101 +0,0 @@ - - - - - This XML Schema defines the CPE Language. An individual CPE Name addresses a single part of an actual system. To identify more complex platform types, there needs to be a way to combine different CPE Names using logical operators. For example, there may be a need to identify a platform with a particular operating system AND a certain application. The CPE Language exists to satisfy this need, enabling the CPE Name for the operating system to be combined with the CPE Name for the application. For more information, consult the CPE Specification document. - - CPE Language - Neal Ziring, Andrew Buttner - 2.1 - 01/31/2008 09:00:00 AM - - - - - - - - This element is the root element of a CPE Language XML documents and therefore acts as a container for child platform definitions. - - - - - - - - - - - - - - - - - - - The platform element represents the description or qualifications of a particular IT platform type. The platform is defined by the logical-test child element. The id attribute holds a locally unique name for the platform. There is no defined format for this id, it just has to be unique to the containing language document. - The optional title element may appear as a child to a platform element. It provides a human-readable title for it. To support uses intended for multiple languages, this element supports the ‘xml:lang’ attribute. At most one title element can appear for each language. - The optional remark element may appear as a child of a platform element. It provides some additional description. Zero or more remark elements may appear. To support uses intended for multiple languages, this element supports the ‘xml:lang’ attribute. There can be multiple remarks for a single language. - - - - - - - - - - - The logical-test element appears as a child of a platform element, and may also be nested to create more complex logical tests. The content consists of one or more elements: fact-ref, and logical-test children are permitted. 
The operator to be applied, and optional negation of the test, are given as attributes. - - - - - - - - - - - The fact-ref element appears as a child of a logical-test element. It is simply a reference to a CPE Name that always evaluates to a Boolean result. - - - - - - - - - The OperatorEnumeration simple type defines acceptable operators. Each operator defines how to evaluate multiple arguments. - - - - - - - - - - - - This type allows the xml:lang attribute to associate a specific language with an element's string content. - - - - - - - - - - - - - Define the format for acceptable CPE Names. A URN format is used with the id starting with the word cpe followed by :/ and then some number of individual components separated by colons. - - - - - - diff --git a/schemas/cve/cve_0.1.xsd b/schemas/cve/cve_0.1.xsd deleted file mode 100644 index c6661bfb5f9..00000000000 --- a/schemas/cve/cve_0.1.xsd +++ /dev/null @@ -1,70 +0,0 @@ - - - - - - - - - - - - - Format for CVE Names is CVE-YYYY-NNNN, where YYYY is the year of publication and NNNN is a sequence number. - - - - - - - - - - - Enumeration containing valid values for CVE status: Candidate, Entry, and Deprecated - - - - - - - - - - - - - - - - - - Status of Vulnerability -- Candidate, Entry, Deprecated - - - - - Free text field to describe the vulnerability - - - - - Discretionary information and links relevant to a given vulnerability referenced by the CVE - - - - - - CVE name in the CVE-YYYY-NNNN format - - - - diff --git a/schemas/cve/cvss-v2_0.2.xsd b/schemas/cve/cvss-v2_0.2.xsd deleted file mode 100644 index c251238e935..00000000000 --- a/schemas/cve/cvss-v2_0.2.xsd +++ /dev/null 
@@ -1,386 +0,0 @@ - - - - - - - - - - - - Value restriction to single decimal values from 0.0 to 10.0, as used in CVSS scores - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Indicates if the vector has been approximated as the result of an upgrade from a previous CVSS version - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Base type for metrics that defines common attributes of all metrics. - - - - Indicates if the metrics have been upgraded from a previous version of CVSS. If fields that were approximated will have an approximated attribute set to 'true'. - - - - - - - - - "This schema was intentionally designed to avoid mixing classes and attributes between CVSS version 1, CVSS version 2, and future versions. Scores in the CVSS system are interdependent. The temporal score is a multiplier of the base score. The environmental score, in turn, is a multiplier of the temporal score. The ability to transfer these scores independently is provided on the assumption that the user understands the business logic. For any given metric, it is preferred that the score, as a minimum is provided, however the score can be re-created from the metrics or the multiplier and any scores they are dependent on." - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Base severity score assigned to a vulnerability by a source - - - - - Base exploit sub-score assigned to a vulnerability by a source - - - - - Base impact sub-score assigned to a vulnerability by a source - - - - - - Data source the vector was obtained from. 
Example: http://nvd.nist.gov or com.symantec.deepsight - - - - - - - - - - - - - - - - - - - Data source the vector was obtained from. Example: gov.nist.nvd or com.symantec.deepsight - - - - - - - - - - - - - - - - - The temporal score is the temporal multiplier times the base score. - - - - - The temporal multiplier is a number between zero and one. Reference the CVSS standard for computation. - - - - - - - - - - diff --git a/schemas/cve/nvd-cve-feed_2.0.xsd b/schemas/cve/nvd-cve-feed_2.0.xsd deleted file mode 100644 index 5af181987b7..00000000000 --- a/schemas/cve/nvd-cve-feed_2.0.xsd +++ /dev/null @@ -1,57 +0,0 @@ - - - - - TODO: address distributed with for APP->OS resolution - This schema defines the structure of the National - Vulnerability Database XML feed files version: 1.2. The elements and - attribute in this document are described by xsd:annotation tags. This - file is kept at http://nvd.nist.gov/schema/nvdcve.xsd. The NVD XML - feeds are available at http://nvd.nist.gov/download.cfm. - - Release Notes: - Version 2.0: - * Redesign of the feed to integrate with the new vulnerability data - model schema. - - Version 1.2: - * CVSS version 2 scores and vectors have been added. Please see - http://nvd.nist.gov/cvss.cfm?vectorinfo and - http://www.first.org/cvss/cvss-guide.html for more information on - how to interpret this data. - - - - The root element of the NVD CVE feed. Multiple "entry" child elements describe specific NVD CVE entries. - - - - - - A CVE entry. - - - - - - The schema version number supported by the feed. - - - - - The date the feed was generated. - - - - - - - A CVE entry. - - - diff --git a/schemas/cve/patch_0.1.xsd b/schemas/cve/patch_0.1.xsd deleted file mode 100644 index ce874753cfb..00000000000 --- a/schemas/cve/patch_0.1.xsd +++ /dev/null 
@@ -1,72 +0,0 @@ - - - - - - - - - - - - - - - - - - - Human-formatted title for the patch. If none given, then duplicate of the name. - - - - - - - - - - - - - - Patches that superceded by the referenced patch. - - - - - Patches that supersede the patch comprising the current XML document. - - - - - - Identifier unique within the XML document for the given patch. - - - - - Vendor supplied name for the patch. Will use lower case and underscores for spaces, consistent with CPE naming conventions. - - - - - Boolean value. True of patch is superseded. False if not. - - - - - Indicates that a patch should not be used -- regardless of supersession. - - - - diff --git a/schemas/cve/scap-core_0.1.xsd b/schemas/cve/scap-core_0.1.xsd deleted file mode 100644 index df129b88bdb..00000000000 --- a/schemas/cve/scap-core_0.1.xsd +++ /dev/null 
@@ -1,139 +0,0 @@ - - - - - - - - - - - - - Data type for the check element, a checking system specification URI, string content, and an optional external file reference. The checking system specification should be the URI for a particular version of OVAL or a related system testing language, and the content will be an identifier of a test written in that language. The external file reference could be used to point to the file in which the content test identifier is defined. - - - - - - - - - - - - - - - - - The notesType defines an element that consists of one or more child note elements. It is assumed that each of these note elements are representative of the same language as defined by their parent. - - - - - - - - - - - Type for a reference in the description of a CPE item. This would normally be used to point to extra descriptive material, or the supplier's web site, or the platform documentation. It consists of a piece of text (intended to be human-readable) and a URI (intended to be a URL, and point to a real resource). - - - - - - - - - - - - - - - - - - - - This type allows the xml:lang attribute to associate a specific language with an element's string content. - - - - - - - - - - - - - - - - - - - - - - - - - - - Define the format for acceptable CPE Names. An urn format is used with the id starting with the word oval followed by a unique string, followed by the three letter code 'def', and ending with an integer. - - - - - - - - - Define the format for acceptable - searchableCPE Names. The URI escaped code '%25' may be used - to represent the character '%' which will be interpreted as a - wildcard. - - - - - - - - - The name pattern of a CPE component. - - - - - - - - - The name pattern of the CPE part component. - - - - - - - - - - - - diff --git a/schemas/cve/vulnerability_0.4.xsd b/schemas/cve/vulnerability_0.4.xsd deleted file mode 100644 index f4611fd3a68..00000000000 --- a/schemas/cve/vulnerability_0.4.xsd +++ /dev/null 
@@ -1,260 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - The security protection type - - - - - gain administrative access - - - - - gain user access - - - - - - - - - - - - - - - - - - - - - - - - - A single fix action should only cover a single patch application, software update, configuration change, or external fix. Dependencies should be documented by using the "next_fix_action" element to point to a recursive list of fix actions. - - - - - - - CPE name of the software update package. - - - - - - - - - - States whether the fix action fully avoids the risk associated with the vulnerability or reduces risk to some extent. - - - - - Describes or points to the check/test (either OVAL or other) that this particular fix action addresses. E.G. applying this fix will change the value of this test result. - - - - - - - - Unique value within the source. Will be used with the source element to serve as a global unique identifier. - - - - - Should be a URI-like -- e.g. inverted DNS address e.g mil.jtf-gno - - - - - - - - - - - - - - - - - - - The CPE name of the scanning tool. A value must be supplied for this element. The CPE name can be used for a CPE from the NVD. The CPE title attribute can be used for internal naming conventions. (or both, if possible) - - - - - Defines required signature or policy definition that must be installed on the tool. - - - - - - - - - - - - - - - - - - - - - - - - TODO: Low priority: Add reference to notes type to allow analysts, vendor and other comments. Add source attribute. Maybe categorization? - - - - - - - - - - - - - - - - - - - - - - - Denotes a scanner and required configuration that is capable of detecting the referenced vulnerability. May also be an OVAL definition and omit scanner name. - - - - - - - This element should ultimately be held in a threat model. 
- - - - - - - - - - - TODO: revisit referenceType and textType - Extends the base "reference" class by adding the ability to specify which kind (within the vulnerability model) of reference it is. See "Vulnerability_Reference_Category_List" enumeration. - - - - - TODO: determine purpose - - - - - - - - - - - - - - diff --git a/schemas/cvrf/1.1/common.xsd b/schemas/cvrf/1.1/common.xsd deleted file mode 100644 index 518a5f89871..00000000000 --- a/schemas/cvrf/1.1/common.xsd +++ /dev/null 
@@ -1,176 +0,0 @@ - - - - - - - - - - - - This is the XML schema for the Common Vulerability Reporting Framework's common data types. - - Brian Schafer <bschafer@microsoft.com> - Joe Clarke <jclarke@cisco.com> - Joe Hemmerlein <Joe.Hemmerlein@microsoft.com> - 2012-05-07 - CVRF Common Data Types - 1.1 - - - - - - - - A normalized string type that cannot be empty. - - - - - - - - A string type that cannot be empty. - - - - - - - - String type with an optional language attribute. The default language is English. - - - - - - Locale code used for the string value. The default is "en". - - - - - - - - Normalized string type with an optional language attribute. The default language is English. This string cannot be empty. - - - - - - Locale code used for the string value. The default is "en". - - - - - - - - Dotted string representing the document revision - - - - - - - - Types enumerating the type of reference document - - - - - This document is an external reference to the current vulnerability. - - - - - This document is a reference to this same vulnerability. - - - - - - - Types enumerating the various publishers of a document. - - - - - Developers or maintainers of information system products or services. - - - - - Individuals or organizations that find vulnerabilities or security weaknesses. - - - - - Individuals or organizations that manage a single vendor's response or multiple vendors' responses to a vulnerability, a security flaw, or an incident. - - - - - Everyone using a vendor's product. - - - - - Catchall for everyone else. Currently this includes forwarders, re-publishers, language translators and miscellaneous contributors. - - - - - - - Allowed type values for CVRF notes. - - - - - A general, high-level note (Title may have more information). - - - - - A low-level detailed discussion (Title may have more information). - - - - - A description of something (Title may have more information). - - - - - A summary of something (Title may have more information). 
- - - - - A list of frequently asked questions. - - - - - Any possible legal discussion, including constraints, surrounding the document. - - - - - Something that doesn’t fit (Title should have more information). - - - - - diff --git a/schemas/cvrf/1.1/cpe-language_2.2a.xsd b/schemas/cvrf/1.1/cpe-language_2.2a.xsd deleted file mode 100644 index dfd5f05c037..00000000000 --- a/schemas/cvrf/1.1/cpe-language_2.2a.xsd +++ /dev/null 
@@ -1,182 +0,0 @@ - - - - - This XML Schema defines the CPE Language. An individual - CPE Name addresses a single part of an actual system. To identify more complex - platform types, there needs to be a way to combine different CPE Names using - logical operators. For example, there may be a need to identify a platform with a - particular operating system AND a certain application. The CPE Language exists to - satisfy this need, enabling the CPE Name for the operating system to be combined - with the CPE Name for the application. For more information, consult the CPE - Specification document. - - CPE Language - Neal Ziring, Andrew Buttner, David Waltermire - 2.2 - 10/27/2008 10:00:00 AM - - - - - - - - - This element is the root element of a CPE - Language XML documents and therefore acts as a container for child platform - definitions. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - The platform element represents the description - or qualifications of a particular IT platform type. The platform is defined - by the logical-test child element. - - - - - The optional title element may appear as a child - to a platform element. It provides a human-readable title for it. To support - uses intended for multiple languages, this element supports the ‘xml:lang’ - attribute. At most one title element can appear for each language. - - - - - The optional remark element may appear as a child - of a platform element. It provides some additional description. Zero or more - remark elements may appear. To support uses intended for multiple languages, - this element supports the ‘xml:lang’ attribute. There can be multiple - remarks for a single language. - - - - - - - - - - - The id attribute holds a locally unique - name for the platform. There is no defined format for this id, it just has - to be unique to the containing language document. 
- - - - - - - - The logical-test element appears as a child of a - platform element, and may also be nested to create more complex logical - tests. The content consists of one or more elements: fact-ref, and - logical-test children are permitted. The operator to be applied, and - optional negation of the test, are given as attributes. - - - - - - - - - - - - - - - The fact-ref element appears as a - child of a logical-test element. It is simply a reference to a CPE Name that - always evaluates to a Boolean result. - - - - - - - - - - The OperatorEnumeration simple type defines - acceptable operators. Each operator defines how to evaluate multiple - arguments. - - - - - - - - - - - - This type allows the xml:lang attribute to - associate a specific language with an element's string - content. - - - - - - - - - - - - - Define the format for acceptable CPE Names. A URN - format is used with the id starting with the word cpe followed by :/ and - then some number of individual components separated by - colons. - - - - - - - - - - diff --git a/schemas/cvrf/1.1/cvrf_1.1.xsd b/schemas/cvrf/1.1/cvrf_1.1.xsd deleted file mode 100644 index eeda6cfdfdf..00000000000 --- a/schemas/cvrf/1.1/cvrf_1.1.xsd +++ /dev/null 
@@ -1,487 +0,0 @@ - - - - - - - - - - - - - - This is the XML schema for the Common Vulnerability Reporting Framework. For more information, see the CVRF whitepaper. - - Brian Schafer <bschafer@microsoft.com> - Joe Clarke <jclarke@cisco.com> - Joe Hemmerlein <Joe.Hemmerlein@microsoft.com> - 2012-05-07 - CVRF Dictionary - 1.1 - - - - - - - - Types enumerating the status of the document. - - - - - Pre-release, intended for issuing party’s internal use only, or possibly used externally when the party is seeking feedback or indicating its intentions regarding a specific issue. - - - - - The issuing party believes the content is subject to change. - - - - - The issuing party asserts the content is unlikely to change. - - - - - - - Floating point number representing the CVRF specification version - - - - - - - - - - - Root element of a CVRF document. - - - - - - A definitive canonical name for the document, providing enough descriptive content to differentiate from other similar documents, ideally providing a unique “handle”. - - - - - - - - - - A short canonical name, chosen by the document producer, which will inform the consumer about the type of the document. - - - - - - - - - - A container holding all information about the publisher of the CVRF document. - - - - - - Author contact information such as address, phone number, email, etc. - - - - - - - - - - The name of the issuing party and their authority to release the document, in particular, the party's constituency and responsibilities or other obligations. - - - - - - - - - - - Type is an enumerated list containing an array of different document publisher types. - - - - - Vendor ID is a unique identifier (OID) that a vendor uses as issued by FIRST under the auspices of IETF. - - - - - - - The Document Tracking meta-container contains all of the attributes necessary to track a CVRF document. 
- - - - - - Contains document ID and optional document aliases - - - - - - Short unique identifier used to refer to the document unambiguously in any context. - - - - - - - - - - Optional alternative ID for document - - - - - - - - - - - - - The condition of the document with regard to completeness and the likelihood of future editions. - - - - - Document Version is a simple counter to track the version of the document. - - - - - The Document Revision History contains one entry for each substantive version of the document, including the initial version and entries for each subsequent update. - - - - - - A set of Version, Date, and Description elements describing one iteration of this document - - - - - - Revision number of this iteration of the document. - - - - - Date when this iteration of the document was released. - - - - - Description of this iteration of the document. - - - - - - - - - - - - - - - - The initial date (and time, optionally) that the document was initially released by the issuing party. - - - - - The current date (and time, optionally) that the document was released by the issuing party. - - - - - The Document Generator meta-container contains all of the elements related to the generation of the document. - - - - - - The name and version of the engine that generated the CVRF document. - - - - - - - - - - The date the CVRF document was generated. - - - - - - - - - - - The Document Notes text contains all of the individual notes necessary to provide different types of low-level discussions of a CVRF document to various audiences. - - - - - - A individual note in freeform text. - - - - - - - Title should be a concise description of what is contained in this specific note. - - - - - Audience will indicate who is intended to read the note. - - - - - Type of content within this note. - - - - - Ordinal is a locally significant integral counter indexed from 1 used to track notes. 
- - - - - - - - - - - - The Document Distribution string should contain details on constraints, if any, about sharing this CVRF Document with additional recipients. - - - - - - - - - - Aggregate Severity is provided by the producer of the document to convey the urgency and criticality with which the vulnerability or vulnerabilities should be addressed. - - - - - - - URL of the namespace from which the Aggregate Severity is taken. - - - - - - - - - This meta-container should include references to any conferences, papers, advisories, and other resources that are related and considered to be of value to the document consumer. - - - - - - Related documents to the CVRF document. - - - - - - The URL of the related document. - - - - - The description of the related document. - - - - - - - - - - - Enumerated type value of reference relative to this document. - - - - - - - - - - The Acknowledgments container holds one or more Acknowledgement containers for document-level acknowledgements. - - - - - - The Acknowledgment container holds recognition details for external parties, specific to the document as a whole rather than individual vulnerabilities. - - - - - - The name (i.e., individual name) of the party being acknowledged. - - - - - - - - - - The organization of the party being acknowledged or the organization itself being acknowledged. - - - - - - - - - - The details of the acknowledgment that address the recognition of external parties who were instrumental in the discovery, reporting and response of this document. - - - - - - - - - - The optional URL to the person, place, or thing being acknowledged. - - - - - - - - - - - - - - - This is to ensure that each Vulnerability's Ordinal uses a unique value. - - - - - - - This is to ensure that each note has a unique ordinal value. - - - - - - - A key to reference a specific product defined in a referenced product schema. - - - - - - - An instance of the ProductKey to be used in the ProductID element for affected products. 
- - - - - - - An instance of the ProductKey to be used in the CVSS ScoreSet product references. - - - - - - - An instance of the ProductKey to be used in the Threat product references. - - - - - - - An instance of the ProductKey to be used in the Remediation product references. - - - - - - - A key to reference a specific product group defined in a referenced product schema. - - - - - - - An instance of the GroupKey to be used in the Threat product references. - - - - - - - An instance of the GroupKey to be used in the Remediation product references. - - - - - - diff --git a/schemas/cvrf/1.1/cvss-v2_0.9.xsd b/schemas/cvrf/1.1/cvss-v2_0.9.xsd deleted file mode 100644 index f68fb81cffe..00000000000 --- a/schemas/cvrf/1.1/cvss-v2_0.9.xsd +++ /dev/null 
@@ -1,415 +0,0 @@ - - - - - - - - - - - - Value restriction to single decimal values from 0.0 to 10.0, as used in CVSS scores - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Indicates if the vector has been approximated as the result of an upgrade from a previous CVSS version - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - "This schema was intentionally designed to avoid mixing classes and attributes between CVSS version 1, CVSS version 2, and future versions. Scores in the CVSS system are interdependent. The temporal score is a multiplier of the base score. The environmental score, in turn, is a multiplier of the temporal score. The ability to transfer these scores independently is provided on the assumption that the user understands the business logic. For any given metric, it is preferred that the score, as a minimum is provided, however the score can be re-created from the metrics or the multiplier and any scores they are dependent on." - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Base type for metrics that defines common attributes of all metrics. - - - - Indicates if the metrics have been upgraded from a previous version of CVSS. If fields that were approximated will have an approximated attribute set to 'true'. 
- - - - - - - - - - - - - Base severity score assigned to a vulnerability by a source - - - - - Base exploit sub-score assigned to a vulnerability by a source - - - - - Base impact sub-score assigned to a vulnerability by a source - - - - - - Data source the vector was obtained from. Example: http://nvd.nist.gov or com.symantec.deepsight - - - - - - - - - - - - - - - - - - - Data source the vector was obtained from. Example: gov.nist.nvd or com.symantec.deepsight - - - - - - - - - - - - - - - - - The temporal score is the temporal multiplier times the base score. - - - - - The temporal multiplier is a number between zero and one. Reference the CVSS standard for computation. - - - - - - - - - - diff --git a/schemas/cvrf/1.1/dc.xsd b/schemas/cvrf/1.1/dc.xsd deleted file mode 100644 index 5d904c9e5a1..00000000000 --- a/schemas/cvrf/1.1/dc.xsd +++ /dev/null 
@@ -1,118 +0,0 @@ - - - - - - DCMES 1.1 XML Schema - XML Schema for http://purl.org/dc/elements/1.1/ namespace - - Created 2008-02-11 - - Created by - - Tim Cole (t-cole3@uiuc.edu) - Tom Habing (thabing@uiuc.edu) - Jane Hunter (jane@dstc.edu.au) - Pete Johnston (p.johnston@ukoln.ac.uk), - Carl Lagoze (lagoze@cs.cornell.edu) - - This schema declares XML elements for the 15 DC elements from the - http://purl.org/dc/elements/1.1/ namespace. - - It defines a complexType SimpleLiteral which permits mixed content - and makes the xml:lang attribute available. It disallows child elements by - use of minOcccurs/maxOccurs. - - However, this complexType does permit the derivation of other complexTypes - which would permit child elements. - - All elements are declared as substitutable for the abstract element any, - which means that the default type for all elements is dc:SimpleLiteral. - - - - - - - - - - - - - This is the default type for all of the DC elements. - It permits text content only with optional - xml:lang attribute. - Text is allowed because mixed="true", but sub-elements - are disallowed because minOccurs="0" and maxOccurs="0" - are on the xs:any tag. - - This complexType allows for restriction or extension permitting - child elements. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - This group is included as a convenience for schema authors - who need to refer to all the elements in the - http://purl.org/dc/elements/1.1/ namespace. - - - - - - - - - - - - - - This complexType is included as a convenience for schema authors who need to define a root - or container element for all of the DC elements. - - - - - - - - - - diff --git a/schemas/cvrf/1.1/prod.xsd b/schemas/cvrf/1.1/prod.xsd deleted file mode 100644 index 99fccad73ca..00000000000 --- a/schemas/cvrf/1.1/prod.xsd +++ /dev/null 
@@ -1,292 +0,0 @@ - - - - - - - - - - - - - - - This is the XML schema for the Common Vulnerability Reporting Framework's Product model. For more information, see the CVRF whitepaper. - - Joe Hemmerlein <joe.hemmerlein@microsoft.com> - Joe Clarke <jclarke@cisco.com> - 2012-05-07 - CVRF Product Dictionary - 1.1 - - - - - - - - Types enumerating the individual parts (stubs) that comprise a product name. - - - - - The name of the vendor or manufacturer that makes the product . - - - - - The product family that the product falls into. - - - - - The name of the product. - - - - - The version of the product. This can be a numeric or other descriptor. - - - - - The patch level of the product. - - - - - The service pack of the product. - - - - - The architecture for which the product is intended. - - - - - The language of the product. - - - - - A non-specific legacy entry. - - - - - A specification such as a standard, best common practice, etc. - - - - - The host name of a system/service. - - - - - The URI component of a system/service. - - - - - The file name component of a system/service. - - - - - - - Types enumerating the ways products can be related to each other. - - - - - This product is a default component of the referenced product. - - - - - This product is an optional component of the referenced product. - - - - - This product is an external component of the referenced product. - - - - - This product is installed on the referenced product. - - - - - This product is installed with the referenced product. - - - - - - - - - - - - - - - - - - Neutral product tree to streamline product entries that can be referenced elsewhere in the document. The end of each branch ("FullProductName") represents a referrenceable product. - - - - - - - - Defines how this product is related to another product. - - - - - - - - The ProductReference refers to the unique ProductID of the product that is to which another product will be related. 
- - - - - The RelationType attribute defines how the two products are related. - - - - - RelatesToProductReference refers to the unique ProductID of the product to which the ProductReference attribute value relates. - - - - - - - Container for grouping products to be used in vulnerabilities. - - - - - - A named container to associate two or more product IDs together for use in vulnerabilities. - - - - - - Optional textual description for this group. - - - - - - - - - - The ID of an existing product in this tree that is to be a member of this group. - - - - - - The unique identifier used to reference this group. - - - - - - - - - - - - This is to ensure that each FullProductName uses a unique ProductID value. - - - - - - - This is to ensure that each Group uses a unique GroupID value. - - - - - - - A key to reference a specific product. - - - - - - - An instance of the ProductKey used to define a relationship product. - - - - - - - An instance of the ProductKey used to define a related product. - - - - - - - An instance of the ProductKey used to define a product group membership list. - - - - - - - - Endpoint of product tree - this is an actual product entry. The string represents the friendly product name (i.e. the way it would be printed in other publications) - - - - - - - A value that uniquely identifies this Product entry in the scope of this document. Whenever a reference to this Product entry is needed anywhere in this document, its unique ID will be referenced. - - - - - The Common Platform Enumeration (CPE) attribute refers to a method for naming platforms. The structure for CPE is described at http://cpe.mitre.org. - - - - - - - diff --git a/schemas/cvrf/1.1/scap-core_0.9.xsd b/schemas/cvrf/1.1/scap-core_0.9.xsd deleted file mode 100644 index 234b911a493..00000000000 --- a/schemas/cvrf/1.1/scap-core_0.9.xsd +++ /dev/null 
@@ -1,170 +0,0 @@ - - - - - - - - - - - - - - - Data type for the check element, a checking system specification URI, string content, and an optional external file reference. The checking system specification should be the URI for a particular version of OVAL or a related system testing language, and the content will be an identifier of a test written in that language. The external file reference could be used to point to the file in which the content test identifier is defined. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Denotes a scanner and required configuration that is capable of detecting the referenced vulnerability. May also be an OVAL definition and omit scanner name. - Identifies a tool and any associated information about the tool, such as signature versions, that indicate the tool is capable or properly detecting and/or remdiating the vulnerability or misconfiguration - - - - - Identifies a check that can be used to detect the vulnerability or misconfiguration - - - - - The CPE name of the scanning tool. A value must be supplied for this element. The CPE name can be used for a CPE from the NVD. The CPE title attribute can be used for internal naming conventions. (or both, if possible) - - - - - - - - - - - - - - - - - - - - Define the format for acceptable CPE Names. An urn format is used with the id starting with the word oval followed by a unique string, followed by the three letter code 'def', and ending with an integer. - - - - - - - - - Define the format for acceptable CPE Names. A URN format is used with the id starting with the word cpe followed by :/ and then some number of individual components separated by colons. - - - - - - - - - Define the format for acceptable - searchableCPE Names. The URI escaped code '%25' may be used - to represent the character '%' which will be interpreted as a - wildcard. - - - - - - - - - The name pattern of a CPE component. 
- - - - - - - - - The name pattern of the CPE part component. - - - - - - - - - - - - - - - - diff --git a/schemas/cvrf/1.1/vuln.xsd b/schemas/cvrf/1.1/vuln.xsd deleted file mode 100644 index fc090c2ac7d..00000000000 --- a/schemas/cvrf/1.1/vuln.xsd +++ /dev/null 
@@ -1,631 +0,0 @@ - - - - - - - - - - - - - - - - This is the XML schema for the Common Vulnerability Reporting Framework's Vulnerability model. For more information, see the CVRF whitepaper. - - Brian Schafer <bschafer@microsoft.com> - Joe Clarke <jclarke@cisco.com> - Joe Hemmerlein <Joe.Hemmerlein@microsoft.com> - 2012-05-07 - CVRF Vulnerability Dictionary - 1.1 - - - - - - - - Types enumerating a party's current engagement status for this vulnerability. - - - - - The party has acknowledged that they are aware of the vulnerability report. - - - - - The party disputes the vulnerability report in its entirety - - - - - Some hot-fixes, permanent fixes, or patches have been made available by the party, but more fixes or patches are going to be released in the future. - - - - - The party asserts that they have completed remediation of the vulnerability. - - - - - The party has been contacted, but was unresponsive or unavailable. - - - - - No contact has been attempted with the party. - - - - - - - String type to match CVE IDs - - - - - - - - String type to match CWE IDs - - - - - - - - String representing the components needed to compute the various CVSS scores - - - - - - - - Types enumerating the affected statuses described by a vulnerability - - - - - The first version known to be affected by this vulnerability. - - - - - This version is the first fixed version for the vulnerability but may not be the recommended fixed version. - - - - - This version is contains a fix for the vulnerability but may not be the recommended fixed version. - - - - - This version is known to be affected by the vulnerability. - - - - - This version is known NOT to be affected by the vulnerability. - - - - - This is the last version in a train known to be affected. Versions released after this would contain a fix for this vulnerability. - - - - - This version has a fix for the vulnerability and is the vendor-recommended version for fixing the vulnerability. 
- - - - - - - Types enumerating the Threat type described by the vulnerability - - - - - Impact contains an assessment of the impact on the user or the target set if the vulnerability is successful exploited. - - - - - Exploit Status contains a description of the degree to which an exploit for the vulnerability is known. - - - - - Target Set contains a description of the currently known victim population in whatever terms are appropriate. - - - - - - - Types enumerating the Remedy type described by the vulnerability. - - - - - Workaround contains information about a configuration or specific deployment scenario that can be used to avoid exposure to the vulnerability. - - - - - Mitigation contains information about a configuration or deployment scenario that helps to reduce the risk of the vulnerability but that does not resolve the vulnerability on the affected product. - - - - - Vendor Fix contains information about an official fix that is issued by the original author of the affected product. - - - - - Currently there is no fix available. - - - - - There is no fix for the vulnerability and there never will be one. - - - - - - - Existing product ID from the product tree. - - - - - Existing product group ID from the product tree. - - - - - - - - This is a meta-container for the aggregation of all fields that are related to a single vulnerability within the document. - - - - - - Vulnerability Title gives the document producer the ability to apply a canonical name or title to the vulnerability. - - - - - - - - - - Vulnerability ID gives the document producer a place to publish a unique label or tracking ID for the vulnerability (if such information exists). - - - - - - - System Name indicates the name of the vulnerability tracking or numbering system that this vulnerability ID comes from. - - - - - - - - - The Notes container holds all individual notes concerning this vulnerability. 
- - - - - - The Notes text contains all of the content necessary to provide different types of low-level discussions of a given vulnerability to various audiences. - - - - - - - Title should be a concise description of what is contained in Vulnerability Notes. - - - - - Audience will indicate who is intended to read the note. - - - - - Type of content within this note. - - - - - Ordinal is a locally significant integral counter indexed from 1 used to track notes. - - - - - - - - - - - - Date vulnerability was initially discovered by its original discoverer. - - - - - Date vulnerability was initially released to the public. - - - - - The Involvements container lists any number of vendor or third party interactions related to this vulnerability. - - - - - - Involvement contains a specific set of interaction details. - - - - - - The description of the Involvement. - - - - - - - - - - - Type of party with whom the involvement is taking place. - - - - - Status of the involvement with the specified party. - - - - - - - - - - The CVE string refers to the MITRE standard Common Vulnerabilities Enumeration (CVE) tracking number for the vulnerability. - - - - - Detailed description of the referrenced Common Weakness Enumeration (CWE) identifier. - - - - - - - The MITRE-assigned CWE identifier. - - - - - - - - - The ProductStatuses container holds the list of all the products affected by the vulnerability in question. - - - - - - The Status element holds an enumerated value based on available Product Name Entry items as constructed from the Product Tree container. - - - - - - - - Affected status for the product or products defined in this container. - - - - - - - - - - Contains all Threat containers - - - - - - Threat contains the "kinetic" information associated with a vulnerability. - - - - - - The description of the Threat. - - - - - - - - - - - - - The type of the Threat. 
- - - - - The date this Threat item was last updated; if omitted it is deemed to be unknown, irrelevant, or unimportant. - - - - - - - - - - The CVSS Score Set meta-container holds one or more CVSS score sets to describe vulnerable products. - - - - - - CVSS scores for a given product ID.  If the ProductID attribute is omitted, the score applies to all vulnerable products. - - - - - - The CVSS Base Score is the numeric value of the computed CVSS Base Score which should be a float from 0 – 10.0. - - - - - The CVSS Base Score is the numeric value of the computed CVSS Temporal Score which should be a float from 0 – 10.0. - - - - - The CVSS Base Score is the numeric value of the computed CVSS Environmental Score which should be a float from 0 – 10.0. - - - - - The CVSS Vector string is the official notation that contains all of the values used to compute the Base, Temporal, and Environmental scores. - - - - - - - - - - - - The Remediation meta-container tag holds all related Workaround, Mitigation, Vendor Fix, and Entitlement entries that are associated with the specific vulnerability. - - - - - - Holds all of the specific details on how to handle (and presumably, fix) the vulnerability, tied to Product ID. - - - - - - Textual description of this remedy. - - - - - - - - - - The Entitlement string will contain any possible vendor-defined constraints for obtaining fixed software or hardware that fully resolves the vulnerability. - - - - - - - - - - URL from which the remedy can be obtained. - - - - - - - - Specific type of remedy. - - - - - The date Remedy was last updated, if omitted it is deemed to be unknown, unimportant, or irrelevant. - - - - - - - - - - This meta-container should include references to any conferences, papers, advisories, and other resources that are related to this vulnerability. - - - - - - This meta-container contains an orthogonally related document, background info, whitepaper, etc. to the specific vulnerability. 
- - - - - - The URL of the related document. - - - - - The description of the related document. - - - - - - - - - - - Enumerated type value of reference relative to this document. - - - - - - - - - - The Acknowledgments container holds one or more Acknowledgement containers for vulnerability-level acknowledgements. - - - - - - The Acknowledgment container holds recognition for external parties who were instrumental in the discovery of, reporting of, and response to the vulnerability. - - - - - - The name (i.e., individual name) of the party being acknowledged. - - - - - - - - - - The organization of the party being acknowledged or the organization itself being acknowledged. - - - - - - - - - - The details of the acknowledgment that address the recognition of external parties who were instrumental in the discovery, reporting and response of this document. - - - - - - - - - - The optional URL to the person, place, or thing being acknowledged. - - - - - - - - - - - - Locally significant numeric value to track vulnerabilities within a CVRF document. This enables vulnerabilities to be referenced from elsewhere inside the document (often at the document-level) - - - - - - This is to ensure that each product mentions a given ProductID only one. - - - - - - - This is to ensure that each CVSS score set mentions a given ProductID only one. - - - - - - - This is to ensure that each note has a unique ordinal value. - - - - - -
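Review bot: The first hunk in this section deletes a DCMES 1.1 schema for the http://purl.org/dc/elements/1.1/ namespace, which is a general-purpose dependency rather than CVE- or CVRF-specific content. Before removing it, search the schema directories that stay in the install list (arf, common, cpe, ocil, oval, sce, sds, xccdf per the CMakeLists.txt hunk) for an import or schemaLocation that points at this copy, because a dangling import would break schema loading for those documents. If nothing references it, say so in the commit message.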
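Review bot: Deleting schemas/cvrf/1.1/prod.xsd removes the key and keyref constraints documented near the end of that hunk ("This is to ensure that each FullProductName uses a unique ProductID value", "each Group uses a unique GroupID value", and the ProductKey instances for relationships and group membership). If any CVRF reader remains in the tree after this change, ProductID uniqueness and reference resolution are no longer enforced at validation time, so either confirm the consuming code is removed in the same series or move those checks into code. The visible CMakeLists.txt hunk only drops `cve` from the install list and never listed `cvrf`, so the commit message should also state whether schemas/cvrf/1.1/ was ever installed or looked up at runtime.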
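Review bot: schemas/cvrf/1.1/scap-core_0.9.xsd is removed without any visible check that it has no other users; it carries generic SCAP types (the check element type, the tool and scanner configuration, and the CPE name pattern types) rather than CVRF-only definitions. Please verify that no schema outside schemas/cvrf/1.1/ imports this file by relative path, and note the result in the commit message so a later reader can tell the deletion was checked rather than assumed.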
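Review bot: The vuln.xsd deletion drops the only declared input constraints for CVRF vulnerability data visible in this patch: the restricted string types ("String type to match CVE IDs", "String type to match CWE IDs", the CVSS vector string type) and the uniqueness constraints at the end of the hunk (one ProductID per status, one ProductID per CVSS score set, unique note ordinals). Nothing in the visible lines shows the matching parser or CLI entry point being removed or changed. If any command or API still accepts CVRF documents after this change, add a test that it fails with a clear error instead of parsing unvalidated input, and document the removal of CVE and CVRF support in the release notes.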